dnscache: fix eval and start
This commit is contained in:
parent
721e6959b3
commit
62fae6a546
|
@ -7,7 +7,8 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||||
listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
|
listenPlain = [ "0.0.0.0:53" "[::0]:53" ];
|
||||||
extraConfig = /* lua */ ''
|
extraConfig = /* lua */ ''
|
||||||
modules = {
|
modules = {
|
||||||
'http',
|
-- 'http', -- module 'cqueues' not found
|
||||||
|
'policy',
|
||||||
'predict',
|
'predict',
|
||||||
'prefill',
|
'prefill',
|
||||||
'serve_stale < cache', -- servce stail records while refreshing the record
|
'serve_stale < cache', -- servce stail records while refreshing the record
|
||||||
|
@ -18,8 +19,8 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||||
cache.size = 500 * MB
|
cache.size = 500 * MB
|
||||||
cache.min_ttl(60)
|
cache.min_ttl(60)
|
||||||
|
|
||||||
net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
|
-- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
|
||||||
http.prometheus.namespace = 'resolver_'
|
-- http.prometheus.namespace = 'resolver_'
|
||||||
|
|
||||||
-- dns42
|
-- dns42
|
||||||
policy.add(policy.suffix(
|
policy.add(policy.suffix(
|
||||||
|
@ -35,19 +36,21 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||||
|
|
||||||
-- size.dns.localZones
|
-- size.dns.localZones
|
||||||
policy.add(policy.suffix(
|
policy.add(policy.suffix(
|
||||||
policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}})
|
policy.STUB({'${config.site.net.serv.hosts4.dns}', ${lib.concatStringsSep ", " (map (hosts6: "'${hosts6.dns}'") (builtins.attrValues config.site.net.serv.hosts6))}}),
|
||||||
policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
|
policy.todnames({${lib.concatStringsSep ", " (map (zone: "'${zone.name}'") config.site.dns.localZones)}})
|
||||||
))
|
))
|
||||||
|
|
||||||
-- forward to dns caches
|
-- forward to dns caches
|
||||||
policy.add(policy.slice(
|
-- TODO: package psl
|
||||||
policy.slice_randomize_psl(),
|
policy.add( --policy.slice(
|
||||||
|
policy.all(
|
||||||
|
--policy.slice_randomize_psl(), -- lua-psl is required for policy.slice_randomize_psl()
|
||||||
-- quad9
|
-- quad9
|
||||||
policy.TLS_FORWARD({
|
policy.TLS_FORWARD({
|
||||||
{'2620:fe::fe', hostname='dns.quad9.net'},
|
{'2620:fe::fe', hostname='dns.quad9.net'},
|
||||||
{'2620:fe::9', hostname='dns.quad9.net'},
|
{'2620:fe::9', hostname='dns.quad9.net'},
|
||||||
{'9.9.9.9', hostname='dns.quad9.net'}
|
{'9.9.9.9', hostname='dns.quad9.net'}
|
||||||
})
|
}),
|
||||||
-- cloudflare
|
-- cloudflare
|
||||||
policy.TLS_FORWARD({
|
policy.TLS_FORWARD({
|
||||||
{'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
|
{'2606:4700:4700::1111', hostname='cloudflare-dns.com'},
|
||||||
|
@ -55,7 +58,7 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||||
{'1.1.1.1', hostname='cloudflare-dns.com'},
|
{'1.1.1.1', hostname='cloudflare-dns.com'},
|
||||||
{'1.0.0.1', hostname='cloudflare-dns.com'}
|
{'1.0.0.1', hostname='cloudflare-dns.com'}
|
||||||
})
|
})
|
||||||
})))
|
))
|
||||||
|
|
||||||
-- allow access from our networks
|
-- allow access from our networks
|
||||||
'' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
|
'' + lib.concatMapStringsSep "\n" (cidr: "view:addr('${cidr}', policy.all(policy.PASS))") [
|
||||||
|
@ -72,8 +75,7 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||||
"2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56"
|
"2a00:8180:2000:37::1/128" "2a00:8180:2c00:200::/56"
|
||||||
# flpk
|
# flpk
|
||||||
"${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
|
"${config.site.net.flpk.subnet4}" "2a0f:5382:acab:1400::/56 allow"
|
||||||
] + /* lua */ ''
|
] + "\n" + /* lua */ ''
|
||||||
|
|
||||||
|
|
||||||
-- drop everything that hasn't matched
|
-- drop everything that hasn't matched
|
||||||
view:addr('0.0.0.0/0', policy.all(policy.DROP))
|
view:addr('0.0.0.0/0', policy.all(policy.DROP))
|
||||||
|
@ -82,14 +84,14 @@ lib.mkIf config.site.hosts.${hostName}.services.dnscache.enable {
|
||||||
predict = {
|
predict = {
|
||||||
window = 15, -- sampling window
|
window = 15, -- sampling window
|
||||||
period = 24*(60/15) -- track last X hours, divide through sampling window
|
period = 24*(60/15) -- track last X hours, divide through sampling window
|
||||||
},
|
}
|
||||||
|
|
||||||
prefill.config({
|
-- prefill.config({
|
||||||
['.'] = {
|
-- ['.'] = {
|
||||||
url = 'https://www.internic.net/domain/root.zone',
|
-- url = 'https://www.internic.net/domain/root.zone',
|
||||||
interval = 86400, -- seconds
|
-- interval = 86400, -- seconds
|
||||||
}
|
-- }
|
||||||
})
|
-- })
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
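Review bot: The rewritten forwarder block wraps two `policy.TLS_FORWARD` calls in a single `policy.all(...)`; as far as I know Knot Resolver's `policy.all` takes one action, so the Cloudflare forwarder passed as the second argument is silently ignored and only Quad9 is used, which is not what the comment-preserved layout suggests. Merging the two upstream tables into one `policy.TLS_FORWARD({ ... })` (drop the `}),` after the Quad9 entries and the second `policy.TLS_FORWARD({`) keeps both providers in use; please confirm against the resolver docs for the deployed version. Two pre-existing lines in the same file are worth fixing while here: the catch-all `view:addr('0.0.0.0/0', policy.all(policy.DROP))` matches IPv4 only, yet `listenPlain` also binds `[::0]:53`, so an IPv6 client outside the allow list is not dropped unless a `view:addr('::/0', policy.all(policy.DROP))` line is added before the closing `''`. The allow-list entry `"2a0f:5382:acab:1400::/56 allow"` carries a stray ` allow` suffix inside the CIDR string, which is emitted verbatim into `view:addr(...)` and will not parse as a prefix. The `'serve_stale < cache'` comment could also read `-- serve stale records while refreshing the record`.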